Gabriel,

As Dale mentioned, service tickets (ST) are generated by a specific CAS server for a specific application URL (the service parameter specified when users are redirected to CAS login servlet). Normally these tickets are expired after a single use, which is stated in the WEB-INF/spring-configuration/ticketExpirationPolicies.xml, however it is possible to reconfigure your CAS deployment to allow ST to be used for validation multiple times. I must speak a word of caution as I believe most people do not use this feature, so don't take this as a recommendation to do so. If ST were allowed to be reused, it would be possible for someone to get a hold of a ST and by knowing the URL of the application it was created for, they could have it validated by the CAS server and get back the user's username.
In summary, you shouldn't worry about the scenario as it should not occur.

HTH,
A

On 10/14/08 5:05 AM, "Dale Ogilvie" <[EMAIL PROTECTED]> wrote:

> The ticket you get back from CAS will only be valid for your own site. If you
> attach it to another service url, it will be invalid when validated by the
> other service.
>
> I think "service specific tickets" is the aspect of CAS that prevents stolen
> tickets from being useful, service tickets only compromise the service they
> are generated for.
>
>
> From: [EMAIL PROTECTED] on behalf of Gabriel Falkenberg
> Sent: Tue 14/10/2008 8:07 p.m.
> To: Yale CAS mailing list
> Subject: Stealing tickets by installing a CAS-client on attacker's site?
>
> Hi, I'm probably just missing something here but I have a question
> regarding the standard configuration of the 3.3 CAS server. Using the
> standard configuration what stops the following from happening:
>
> 1. I have a site which I know is visited by lots of students from a
> university that uses CAS
>
> 2. I install a CAS filter on my own site using the university's CAS
> server in gateway mode which takes everyone to the CAS server and back
> transparently.
>
> 3. The students that are logged in will bring back a ticket to my site
> so for every logged in student I get a ticket.
>
> 4. I take the ticket and paste into the URL of a real university site
> which uses CAS.
>
> 5. That site sends the ticket to the CAS server and I am logged in as
> the student I stole the ticket from.
>
> I am sure some aspect of CAS stops the above from happening but which
> aspect is it? Does the standard configuration need to be changed in
> order to prevent the above scenario?
>
> Best Regards
> Gabriel Falkenberg
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas

--
Andrew R. Feller, Analyst
Information Technology Services
200 Fred Frey Building
Louisiana State University
Baton Rouge, LA 70803
(225) 578-3737 (Office)
(225) 578-6400 (Fax)

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
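The two properties the thread relies on, service binding and single-use expiry of an ST, can be checked with a small model of the validation endpoint. The following is an added example, not CAS's own code or any code from the list participants: it models the CAS server as an in-memory ticket registry with a `validate` call standing in for `/serviceValidate`. The class and function names (`CasServer`, `issue_ticket`, `validate`, `gateway_scenario`, `reuse_scenario`) and the two sample service URLs are constructed for this illustration; the `single_use` flag stands in for the reuse option the reply describes in ticketExpirationPolicies.xml.

```python
"""Toy model of CAS service-ticket (ST) validation (illustration only, not CAS code).

It demonstrates the two behaviours discussed on the list:
  1. an ST is bound to the exact service URL it was issued for, and
  2. under the default policy an ST is consumed on its first successful validation.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class _Ticket:
    service: str      # service URL the ST was issued for
    username: str     # principal the ST asserts
    used: bool = False


@dataclass
class CasServer:
    # True models the default single-use expiration policy;
    # False models a deployment reconfigured to allow ST reuse.
    single_use: bool = True
    _tickets: dict = field(default_factory=dict)

    def issue_ticket(self, username: str, service: str) -> str:
        """Issue an ST for `username`, bound to `service` (hypothetical helper)."""
        ticket_id = "ST-" + secrets.token_urlsafe(16)
        self._tickets[ticket_id] = _Ticket(service=service, username=username)
        return ticket_id

    def validate(self, ticket_id: str, service: str):
        """Stand-in for /serviceValidate: username on success, None on failure."""
        ticket = self._tickets.get(ticket_id)
        if ticket is None:
            return None                      # unknown or already purged ticket
        # Service binding: the presented service must match the issuing service.
        if not hmac.compare_digest(ticket.service.encode(), service.encode()):
            return None
        if ticket.used:
            return None                      # consumed under the single-use policy
        if self.single_use:
            ticket.used = True
        return ticket.username


# Constructed sample URLs for the scenario in the thread.
REAL_SITE = "https://portal.example.edu/login"
THIRD_PARTY_SITE = "https://third-party.example.net/login"


def gateway_scenario(single_use: bool = True) -> dict:
    """A ticket the browser carried back to a third-party CAS client in gateway mode."""
    cas = CasServer(single_use=single_use)
    st = cas.issue_ticket("student1", THIRD_PARTY_SITE)
    return {
        # Presenting it to the real university site: service mismatch, always fails.
        "replay_at_real_site": cas.validate(st, REAL_SITE),
        # The third party can only learn what its own service was told anyway.
        "validate_at_own_site": cas.validate(st, THIRD_PARTY_SITE),
        # A second validation succeeds only if reuse has been enabled.
        "validate_again": cas.validate(st, THIRD_PARTY_SITE),
    }


def reuse_scenario(single_use: bool = True) -> tuple:
    """An ST issued for the real site, validated by it, then presented again."""
    cas = CasServer(single_use=single_use)
    st = cas.issue_ticket("student1", REAL_SITE)
    first = cas.validate(st, REAL_SITE)    # the legitimate client's validation
    second = cas.validate(st, REAL_SITE)   # anyone who later learned ST and URL
    return first, second


if __name__ == "__main__":
    print("default policy:", gateway_scenario(), reuse_scenario())
    print("reuse enabled: ", gateway_scenario(False), reuse_scenario(False))
```

With the default policy both the cross-service replay and the second validation return `None`; with `single_use=False` the service check still holds, but `reuse_scenario` shows why the reply warns against enabling reuse: a ticket plus its service URL then yields the username on every validation. On the client side the same binding should be enforced: a CAS client ought to send exactly the service URL it registered and treat any validation failure as a failed login, and a server-side log of mismatched-service validations is a cheap signal worth keeping.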
